On Day 23 of the Aadhaar case, the questions posed by the petitioners on the PowerPoint presentation made by the UIDAI were answered. The questions posed included: number of authentication failures and de-duplication rejections, on whether a person’s identity was actually verified or only biometrics matched, whether the documents provided at the time of enrolment were verified and whether any actual verification was done to ensure that the persons enrolling were actually residents for 182 days.
Thereafter, the Attorney General continued his arguments on the constitutionality of Aadhaar.
Questions to the UIDAI
First, the CEO of the UIDAI answered the questions raised by the petitioners.
The main responses provided by the UIDAI are as follows (The full list of the UIDAI’s answers to the petitioner’s questions are here):
1. Six percent authentication failure: On authentication failures, the UIDAI claimed that there were 9.2 lakh failed iris-based authentication transactions or 8.54 percent failure, and 3.6 crores failed fingerprint-based authentication transactions, or six percent failure. The UIDAI could only provide national figures since it did not collect location details (for state-specific details).
2. Biometric exceptions: When questioned on the issue of biometric exceptions, for people such as leprosy patients whose fingerprints failed, UIDAI said that they have the option of using iris-based authentication. A digitally signed QR code in e-Aadhaar has been implemented as an exception handling mechanism, which allows agencies to verify the Aadhaar card in an offline manner. The Section 5 of the Aadhaar Act and Regulation 6 of the Aadhaar (Enrolment and Update) Regulations were cited as the legal backing to biometric exceptions.
3. School as introducer: The school cannot act as an introducer for the enrolment of children aged 5-15 years. Parental consent is required.
4. No opt-out mechanism: There will be no opt-out mechanism under the Aadhaar Act, even once children reach 18 years. People only have the option to lock their biometric authentication.
5. 6.9 Crore de-duplication rejections: So far, there has been 6.9 crore de-duplication rejections by the UIDAI. The UIDAI sees the lack of complaints to the authority or the Courts for denial of Aadhaar numbers as evidence that those who were genuine enrollers have re-registered, and the rest were fraudulent applications.
6. Eighteen crore enrolment packets rejected: As of 2018, 18 crore enrolment packets have been rejected for various reasons including data quality-based rejections (such as incomplete address), head of family or introducer’s biometric validation failed, etc. Further, enrolment packets, even of rejected applications, are archived in the CIDR.
7. Responses to authentication query: It was clarified that Section 8(4) of the Aadhaar Act, which allows a response of ‘yes’, ‘no’, or ‘any other appropriate response’ to an authentication query, refers to either a ‘yes’ or ‘no’ response or to an e-KYC authentication.
8. Verification of enrolment documents: The documents provided for enrolment or updating are verified as genuine or false by the person appointed by the Registrar or Enrolment agency for this purpose.
9. Verifying person’s identity during authentication: The UIDAI was asked if it actually identifies the person, or simply matches biometric received at the time of authentication with its records. To this, the UIDAI simply confirmed that biometric matching is done with its records, and a ‘yes’ response indicates a positive identification of the Aadhaar number holder. The Aadhaar enrolment procedures and the standards of its matching systems were also cited. De-duplication to ensure uniqueness of identity was also cited.
10. Probabilistic matching of biometrics: The UIDAI stated that Aadhaar is based on 1:1 matching, and ‘in that sense’ is not probabilistic. Aadhaar Proof of Concept of Studies was cited which show that over 98 percent people authenticated successfully using Aadhaar.
11. Removal of 49,000 enrolment operators: When asked why 49,000 enrolment operators were removed (failure to verify documents, failure to maintain records of submitted documents, misuse of submitted information or aiding false enrolments), the UIDAI stated that the blacklisting maybe for one of these reasons: illegally charging a resident for Aadhaar enrolment, poor demographic data quality, invalid biometric exceptions, and other process malpractices.
12. Verification of residence of 182 days or illegal immigrants: When asked if any verification was done to ensure that the person enrolling was resident in India for 182 days, or was not an illegal immigrant, the UIDAI stated only the resident’s signed declaration that he had been a resident was required and that Aadhaar could be provided to a foreign national also.
13. Storage of information in biometric readers: Introduction of registered devices, according to the UIDAI, ensures the encapsulation of the biometric capture, signing, and encryption of biometrics all within it. This rules out the possibility of stored biometrics and replay.
14. Retention of data by Aadhaar entities: The UIDAI stated that no logs were required to be kept by entities in relation to IP address of the device, GPS coordinates of the device and purpose of authentication. The data logged by them includes Aadhaar number, parameters of submitted authentication request and response, and record of consent of the Aadhaar number holder for the authentication. When asked to confirm if such entities, AuAs, KuAs, authentication service agencies such as Airtel, etc., formed a part of the Aadhaar architecture, the UIDAI stated that such entities were appointed by it under the Aadhaar (Authentication) Regulations.
15. Traceability features: The UIDAI was asked if ‘traceability’ features allow the UIDAI to track the specific device and its location from where each authentication takes place. The UIDAI responded that it stores data on Authentication User Agency (AUA) code, Authentication Service Agency (ASA) code, unique device code, registered device code used for authentication, but not information on IP address and GPS location.
Aadhaar Act is a just, fair, and a reasonable law.
After completing the responses to the petitioner’s questions, the Attorney General resumed his arguments for the State. He argued that Aadhaar fulfilled the tests laid down in the Puttaswamy judgement for a reasonable restriction on the right to privacy. He argued that Aadhaar collected the least possible data required for the purpose. He also cited the Right to Information Act as an example of a reasonable restriction on privacy in the larger public interest.
The Aadhaar Act, he argued, is a just, fair, and a reasonable law. The motive of Aadhaar was in the larger public interest, to prevent dissipation of social welfare benefits, preventing black money, and money laundering. These, he argued, were legitimate state interests, and further, the Court could not second-guess the intent of the legislature. The Aadhaar Act, thus, meets the test of proportionality by showing a rational nexus between the means used and the goals to be achieved.
The hearings will continue on 4 April 2018.
The author is a lawyer and author specialising in technology laws. She is also a certified information privacy professional.